Chapter 5 TOPOLOGICAL ANALYSIS OF NETWORK ATTACK VULNERABILITY 1. INTRODUCTION


Sushil Jajodia, Steven Noel, Brian O'Berry
Center for Secure Information Systems, George Mason University

Abstract: To understand overall vulnerability to network attack, one must consider attacker exploits not just in isolation, but also in combination. That is, one must analyze how low-level vulnerabilities can be combined to achieve high-level attack goals. In this chapter, we describe a tool that implements an integrated, topological approach to network vulnerability analysis. Our Topological Vulnerability Analysis (TVA) tool automates the labor-intensive type of analysis usually performed by penetration-testing experts. It is ideal for inexpensive what-if analyses of the impact of various network configurations on overall network security. The TVA tool includes modeling of network security conditions and attack techniques (exploits), automatic population of models via the Nessus vulnerability scanner, and analysis of exploit sequences (attack paths) leading to specific attack goals. Moreover, the tool generates a graph of dependencies among exploits that represents all possible attack paths without having to enumerate them. This representation enables highly scalable methods of vulnerability analysis, such as computing network configurations that guarantee the security of given network resources. Finally, this chapter describes some of the open technical challenges for the TVA approach.

Key words: Network vulnerability analysis, network attack modeling, network hardening

1. INTRODUCTION

There are a number of tools available that can scan a network for known vulnerabilities. But such tools consider vulnerabilities in isolation, independent of one another. Unfortunately, the interdependency of vulnerabilities and the connectivity of networks make such analysis limited.

While a single vulnerability may not appear to pose a significant threat, a combination of such vulnerabilities may allow attackers to reach critical network resources. Currently available tools generally give few clues as to how attackers might actually exploit combinations of vulnerabilities among multiple hosts to advance an attack on a network. After separating true vulnerabilities from false alarms, the security analyst is still left with just a set of known vulnerabilities. It can be difficult even for experienced analysts to recognize how an attacker might combine individual vulnerabilities to seriously compromise a network. For larger networks, the number of possible vulnerability combinations to consider can be overwhelming.

In this chapter, we describe a tool that implements a powerful topological approach to global network vulnerability analysis. Our Topological Vulnerability Analysis (TVA) tool considers combinations of modeled attacker exploits on a network and then discovers attack paths (sequences of exploits) leading to specific network targets. The discovered attack paths allow an assessment of the true vulnerability of critical network resources. TVA automates the type of labor-intensive analysis usually performed by penetration-testing experts. Moreover, it encourages inexpensive what-if analyses, in which candidate network configurations are tested for overall impact on network security.

In implementing TVA, we collect extensive information about known vulnerabilities and attack techniques. From this vulnerability/exploit database, we build a comprehensive rule base of exploits, with vulnerabilities and other network security conditions as exploit preconditions and postconditions. In the network discovery phase of TVA, network vulnerability information is automatically gathered and correlated with the exploit rule base. In the analysis phase, we submit the resulting network attack model to a custom analysis engine. This engine models network attack behavior based on exploit rules and builds a graph of precondition/postcondition dependencies among exploits. The result is a set of attack paths leading from the initial network state to a pre-determined attack goal.

The next section describes the network attack problem, and Section 3 reviews related work. Section 4 describes how TVA specifically addresses the network attack problem. Section 5 applies TVA to the optimal hardening of a network, and Section 6 discusses some of the TVA technical challenges. Section 7 summarizes and concludes this chapter.

2. NETWORK ATTACK PROBLEM

We consider the complex problem of analyzing how attackers can combine low-level vulnerabilities to meet overall attack goals. Solving this problem involves modeling networks in terms of their security conditions, modeling atomic attacker exploits as transition rules among security conditions, and computing combinations of atomic exploits that lead to given network resources.

In this problem, we model the various security conditions $a_i$ of a network as binary variables. In particular, the values model the conditions necessary for the attacker's success. For example, if some $a_i$ represents a vulnerable version of a particular software component, $a_i = 1$ means the component exists and $a_i = 0$ means it does not. Under an assumption of monotonicity, a condition may transition from false to true but not back to false. That is, once a condition contributes to the success of an attack, it will always do so.

Next, we model the success of some attacker exploit $s(a_{i_1}, a_{i_2}, \ldots, a_{i_k})$ as a Boolean function of some set of conditions. For simplicity and without loss of generality, we model $s$ as a conjunction, i.e., $s(a_{i_1}, a_{i_2}, \ldots, a_{i_k}) = a_{i_1} \wedge a_{i_2} \wedge \cdots \wedge a_{i_k}$. If an exploit involves disjunction (e.g. more than one version of a vulnerable program), we simply divide the disjunctive portions into separate conjunctive exploits. The success of an exploit $s$ then induces some set of new conditions to become true, i.e., $s(a_{i_1}, a_{i_2}, \ldots, a_{i_k}) = 1$ implies $a_{p_1} = 1, a_{p_2} = 1, \ldots, a_{p_q} = 1$. In other words, $s$ is a mapping from $s_{pre} = \{a_{i_1}, a_{i_2}, \ldots, a_{i_k}\}$ ($s$'s preconditions) to $s_{post} = \{a_{p_1}, a_{p_2}, \ldots, a_{p_q}\}$ ($s$'s postconditions) such that if all the preconditions in $s_{pre}$ are true then all the postconditions in $s_{post}$ become true.

Given a network attack model, the next step is to determine how the application of exploits (in terms of security conditions) impacts network vulnerability. This step involves discovering combinations of exploits that lead to the compromise of a given critical resource. That is, some security condition $a_{goal}$ is designated as the goal of the attack. An attack path is then a sequence of exploits $s_1, s_2, \ldots, s_l$ that leads to $a_{goal}$ becoming true. Of particular interest are minimal attack paths, such that all exploits in the path are necessary for achieving the attack goal.

Attack paths can help network administrators determine the best way to harden their networks. To ensure complete security, all attack paths must be accounted for. Some approaches in the literature do not report all paths, while other approaches explicitly enumerate all of them. For scalability, what is needed is a representation that allows the (implicit) analysis of all possible attack paths without explicitly enumerating them. For example, in terms of network hardening, it is sufficient to know that a particular exploit is required for all possible paths, without explicitly generating all of them.

In network hardening, it is also necessary to distinguish between two types of network security conditions. One type appears only as exploit preconditions. The only way that such conditions can be true is if they are true in the initial network conditions, since they are postconditions of no exploit. These initial conditions are precisely the ones we must consider for network-hardening measures. The other type of condition appears as both exploit preconditions and postconditions. We can safely disregard such conditions for network hardening, since attacker exploits can potentially make them true despite our hardening measures. Given a set of initial conditions $A_{init} = \{c_1, c_2, \ldots, c_k\}$, we therefore wish to compute assignments of condition values (hardening measures) in $A_{init}$ that guarantee the safety of a set of goal conditions $A_{goal} = \{g_1, g_2, \ldots, g_p\}$, i.e., $g_i = 0$ for all $i$. Moreover, we wish to compute hardening measures that minimize assignments of $c_i = 0$, since such assignments generally have some cost associated with them, e.g., the application of a security patch or the disabling of a service.

3. PREVIOUS APPROACHES

Several aspects of the TVA problem have been studied previously. While these studies have tended to focus on specific TVA-related subproblems, our goal is to develop TVA to its full potential. For example, Swiler et al. [5] present a tool for generating network attack graphs. In our TVA tool, we apply an alternative attack graph representation that is considerably more efficient, making the graphs feasible for larger networks. Templeton and Levitt [6] and Dawkins et al. [7] describe approaches for specifying attacks that are similar in spirit to our exploit modeling. These approaches focus primarily on modeling, but we include a subsequent analysis phase.
The application of model checking for network attack models was first proposed by Ritchey and Ammann [8]. More recently, Sheyner et al. [9] modified the Symbolic Model Verifier (SMV) model checker to find all possible attack paths rather than a single attack path. We experimented with SMV as an initial TVA analysis engine, because we could deploy it off the shelf. But scalability problems with SMV led us to develop a custom analysis engine. Our analysis engine applies an efficient graph-based representation of exploit dependencies, as described in Section 4.2. The application of such a representation to network vulnerability analysis was first described by Ammann et al. [10].

A central aspect of TVA modeling is connectivity among machines. A layered connectivity structure is needed to represent the various network architectures and protocols. Our connectivity model mirrors the Transmission Control Protocol/Internet Protocol (TCP/IP) reference model and is described in more detail in [11].

4. DESCRIPTION OF TVA TOOL

In this section we describe our TVA tool for analyzing vulnerability to network attacks. The description includes the modeling of network attacks and the analysis of network attack models for discovering attack paths to given critical resources.

Figure 5-1 shows the overall architecture of our TVA tool. There are three components: (1) a knowledge base of modeled exploits, (2) a description of a network of interest, and (3) a specification of an attack scenario (attacker target, initial attack control, and network configuration changes). The TVA analysis engine merges these three components and then discovers attack paths (exploit combinations) based on the merged model.

We model exploits in terms of their preconditions and postconditions. That is, each exploit is a rule in which the occurrence of a particular set of preconditions induces a particular set of postconditions. The resulting set of exploit rules comprises an attack knowledge base. The exploits in the knowledge base are generic, i.e., independent of any particular network. A network discovery component gathers configuration and connectivity information to produce a TVA network description. Here we use network discovery in a more general sense, i.e., it may include traditional network discovery tools, vulnerability scanners, and code to convert such tool outputs to a TVA network description. The network description and exploit knowledge base share a common name space, which enables the mapping of generic exploits to actual network elements.
4.1 Modeling Network Attacks Keeping pace with evolving threats and vulnerabilities requires an ongoing effort in collecting information on network attacks that can be leveraged for TVA. The set of exploit rules in the TVA knowledge base must be comprehensive and up to date, since discovered attack paths will contain only those exploits that are actually included in the knowledge base.

[Figure 5-1. TVA Architecture. Components shown: Vulnerability and Exploit Information on Web; Vulnerability and Exploit Database; Exploit Knowledge Capture; Exploit Knowledge Base; Network (computers, servers, workstations, laptops, hubs, bridge); Network Discovery; Network Description; attack scenario inputs (Attacker Target, Initial Attacker Control, Network Configuration Changes); Analysis Engine; Attack Paths.]

Once raw information related to network attacks is gathered, we model it in terms of exploit preconditions/postconditions. For comprehensive and accurate results, this modeling requires a good understanding of attacker strategies, techniques, and tool capabilities. Exploit conditions can be any generic attributes that potentially impact network security.

Our TVA model structure is a hierarchical framework that serves as a taxonomy of model elements. The TVA model structure evolved as exploits were developed for various types of vulnerabilities. The evolving structure supports the effects of firewalls and other connectivity-related devices. Also important is the modeling of machine groups, such that a successful attack against one group member applies equally to other machines in the group. In our experience, the TVA model structure in Figure 5-2 is flexible enough to address a full range of vulnerability types and network configuration variations. For example, we have implemented exploit rules for traffic sniffing, password capturing and cracking, file transfers, command shell access, X Window access, secure shell (ssh) public key authentication,

buffer overflows that grant elevated user privileges, port forwarding, machine identity spoofing, and denial-of-service attacks.

In the next paragraph, we begin describing a way to automatically populate network models for TVA. However, it is much more difficult to automatically populate sets of modeled exploits. In particular, it is difficult to automatically capture the semantics needed for exploit preconditions and postconditions, because the vulnerability-reporting community has defined no standard formal language for specifying such semantics. Instead, databases of reported vulnerabilities usually rely on natural language text to describe vulnerabilities and ways of exploiting them. We have begun investigating how exploit semantics can be specified via web-based ontologies.

For TVA to be practical for real networks, it is important to automate the network discovery process. We have integrated our TVA tool with the open-source Nessus [1] vulnerability scanner. Nessus maps known vulnerabilities to network machines, reporting scan results using the eXtensible Markup Language (XML) [2]. The XML representation allows us to leverage the eXtensible Stylesheet Language (XSL) [3] to easily convert Nessus output to TVA input (which is also in XML).

[Figure 5-2. TVA Model Structure. Hierarchy labels from the figure: TVA Model; Network, Goal, Exploit; Machine, Group; Precondition, Postcondition; Program, Connection, Access, Privilege; Connection layers Application, Transport, Network, Link.]

To transform a Nessus report into a TVA network description, each reported Nessus vulnerability is cross-referenced against a list of known exploits. If a match is found, the Nessus vulnerability is applied as the name of a machine-connection precondition in the resulting network description. Nessus-based exploits may also have preconditions and/or postconditions for access type (e.g., execute or file transfer access) and privilege level (e.g., user or super user).
TVA maintains network connectivity details in separate tables that describe each machine s connections to the rest of the network. This means

that firewalls don't have to be modeled directly because the individual host tables implicitly address their effects. However, multiple Nessus scans are required to correctly populate the connectivity tables when firewalls are present. In general, a separate Nessus scan is required for each network segment to which a firewall connects.

The network generation process merges the external and internal Nessus scans into a single coherent network description. The two-stage (external and internal) dataflow diagram for this process is shown in Figure 5-3. This process can be generalized in a straightforward fashion to handle arbitrary numbers of separate network segments. In the first step of this process, Nessus generates a vulnerability report for each network segment. In the second step, the Nessus report XML is processed against a Nessus cross-reference (nidxref.xsl), written in XSL. The second step optionally inserts configuration-specific information (contained in config.xsl) as specified by the TVA user. The nidxref.xsl stylesheet is produced by the Nessus exploit generation process described below. This stylesheet enables the network description to be optimized so that it contains only those Nessus connections for which exploits have been developed.

[Figure 5-3. Generation of Network Description via Nessus. Dataflow labels from the figure: Stage 1 (Nessus, external) and Stage 2 (Nessus, internal); Step 1, Step 2, Step 3; files attack.xml, network.xml, config.xsl, nidxref.xsl, attack.xsl, attgen.xsl, network.xsl, netgen.xsl, null.xml, tva.xsl, tva.xml; processor xsltproc.]

The last step merges the intermediate files from the second step into a single network description (tva.xml) that also incorporates an attack goal specification from the TVA user. The null.xml document is a dummy file that satisfies the XSL processor requirement [4] for an input XML file. The process for generating TVA exploits from Nessus is shown in Figure 5-4.
It begins with Nessus plugins, which contain the detailed information that Nessus needs for detecting vulnerabilities. We have developed a program (np2xp) to convert the Nessus plugins list into XML.

The resulting plugins.xml is then processed against the conditions.xsl stylesheet. This stylesheet is produced manually through researching the plugin information, e.g., consulting the relevant data in our vulnerability/exploit database. As we discussed earlier in this section, it is difficult to totally automate this manual step. The processing against conditions.xsl inserts the preconditions and postconditions developed through this exploit-modeling process. Finally, the resulting exploits.xml is transformed into Java modules and compiled into the TVA analysis engine. This process also generates the Nessus identification cross-reference file (nidxref.xsl) described earlier, which is in turn used to generate TVA network descriptions from Nessus scans.

[Figure 5-4. Generation of Exploits via Nessus. Dataflow labels from the figure: Nessus plugin list; np2xp; plugins.xml; conditions.xsl (by hand); xsltproc; exploits.xml; xp2java.xsl; buildxref.xsl; Java exploits; nidxref.xsl.]

4.2 Network Attack Analysis

Given a particular TVA model (network description and set of exploits), we analyze the model to discover attack paths to critical network resources. From these attack paths we can then derive an expression for network safety in terms of the initial configuration. This safety expression in turn supports decisions about hardening the network against attacks.

We begin with a set of exploits $S = \{s_1, s_2, \ldots\}$ in terms of security conditions $A = \{a_1, a_2, \ldots\}$. These exploits and conditions conform to the modeling framework described in Section 4.1. The network attack model (network conditions and exploits) can be built by hand, automatically generated, or a combination of both.

The attack paths we compute are based on a directed graph of the dependencies (via preconditions and postconditions) among exploits and conditions. One way is to represent conditions as graph vertices and exploits as (labeled) graph edges. The dual of this representation is also possible, with exploits as graph vertices and conditions as labeled graph edges. We employ a third representation that is a bit more flexible. This representation has both conditions and exploits as vertices. Edge labels then become unnecessary, with directed edges simply representing generic dependency. In this representation, a dependency edge $e = (a, s)$ going from condition $a$ to exploit $s$ means that $s$ depends on $a$, i.e., $a$ is a precondition of $s$. Similarly, a dependency edge $e = (s, a)$ going from exploit $s$ to condition $a$ means that $a$ depends on $s$, i.e., $a$ is a postcondition of $s$.

We build the dependency graph through a multi-step process. We first build the set of all exploits $S_{exec} \subseteq S$ that can be successfully executed by the attacker. Working from $S_{exec}$, we then build a dependency graph $D$ starting from the initial-condition exploit $s_{init}$. That is, we start from $s_{init}$, search $S_{exec}$ for exploits whose preconditions match the postconditions of $s_{init}$, add exploit dependencies for any $s_{found}$ found, and then remove $s_{found}$ from $S_{exec}$. We continue by iteratively adding dependencies to $D$ by searching $S_{exec}$ and removing $s_{found}$ from $S_{exec}$. The resulting graph $D$ represents forward dependencies from $s_{init}$, i.e., exploits in $D$ are those that are forward-reachable from $s_{init}$.

Next we do a backward traversal of the forward-reachable dependency graph $D$, starting from the attack goal exploit $s_{goal}$. The resulting dependency graph $D$ includes exploits that are not only reachable from the initial conditions, but are also relevant to (i.e., backward-reachable from) the attack goal. In fact, $D$ comprises the necessary and sufficient set of exploits with respect to the initial and goal conditions, i.e., all exploits in it can be executed, and all of them contribute to the attack goal. Thus $D$ represents the set of minimal attack paths, in which no exploit can be removed without impacting the overall attack.

Given a dependency graph $D$, we then construct an expression that concisely represents all possible attack paths. This construction involves the recursive algebraic substitution of exploits (via precondition/postcondition dependencies) in the backward direction, starting from the goal-condition exploit $s_{goal}$. That is, we start from $s_{goal}$ and algebraically substitute it with the conjunction of its preconditions, i.e. $s_{goal} = a_{goal_1} a_{goal_2} \cdots a_{goal_k}$. We then substitute each of the goal-condition preconditions $a_{goal_i}$ with the exploit that yields it as a postcondition, since these are logically equivalent. In the event that more than one exploit yields this postcondition, we form the disjunction of all such exploits, since logically any one of them could provide the postcondition independent of the others. We continue in a recursive fashion, substituting the newly generated exploit expressions in the same way we treated the goal-condition exploit expression. In doing this recursive algebraic substitution, we make direct use of the exploit-condition dependency graph by traversing it breadth first. Once the dependency graph has been fully traversed, the result is a concise expression that represents all possible attack paths to the goal.

Initial-condition assignments of false mean that the corresponding network services are unavailable. It is desirable to choose assignments with minimal impact on network services. We can immediately choose one assignment over another if all of its disabled services also appear disabled in the other set. This choice is desirable because the selected set represents a comparative increase in available services. Moreover, this choice is neutral with respect to relative priorities of network services, since no service is disabled in the chosen set in comparison to the other. This analysis yields all possible hardening measures (sets of initial-condition assignments) that have minimal impact on services. The analyst can now compare the various sets and select the one that offers the best combination of offered services.

5. EXAMPLE TVA APPLICATION

In this section, we demonstrate by example how TVA combines vulnerabilities in a network to find attack paths to a particular goal. We then analyze the TVA results to determine the best way to harden the network against attack.

In this example, a restrictive firewall protects the machines that support public web and mail services, as shown in Figure 5-5. This example shows how connectivity-limiting devices affect the TVA model and how vulnerable services on a network can be exploited even when direct access to services is blocked. The firewall implements the following policy to restrict connectivity from the attack machine:
1. Incoming ssh traffic is permitted to both maude and ned, although only ned is running the service (this is a common practice under the assumption that it is safe because ssh is a secure protocol);
2. Incoming web traffic is permitted only to maude, which is running Microsoft's Internet Information Server (IIS);
3. Incoming mail is permitted to ned, which is running the sendmail server;

4. Incoming File Transfer Protocol (FTP) traffic is blocked because ned is running the wu_ftpd server, which has a history of vulnerabilities;
5. All outgoing traffic is permitted (this is a common practice under the assumption that outgoing traffic won't harm the internal network).

[Figure 5-5. Network Diagram for Example TVA Application: the Linux attack machine connects through the firewall to a hub joining maude (NT 4.0, IIS) and ned (Linux; sendmail, ssh, wu_ftpd).]

The attack goal for this example is to obtain super user (root) access on ned. This is not directly possible because (1) no known exploits exist for the version of sendmail running on ned, and (2) the firewall blocks access to the vulnerable wu_ftpd service from the attack machine. The question now is whether the attack goal can be realized indirectly, i.e., through a sequence of multiple exploits.

The initial locus of attack is on the attack machine, since only that machine has user access and privilege defined as an initial condition, via the TVA network description. In general, the initial attack machine will also tend to have a complete set of programs used by the exploits in the model. Network connectivity is represented at the machine level by listing all possible connections from the given machine to all other destination machines in the network description. The effect of a firewall or other connectivity-limiting device is to reduce the size of each machine's connectivity table, but such devices generally will not appear as specific machines in the network description unless they run their own services to which other machines can connect. For this scenario, the firewall did not support any such services.

The attack goal is represented in the network description as a distinguished machine that includes only the network resource(s) associated with the goal. In this example, we are only testing whether execute access (the ability to run programs) with super user (root) privilege can be obtained

on ned. However, in general it is possible to test any other conditions, such as the appearance of any new connectivity or program in its configuration.

Figure 5-6 shows the resulting TVA attack graph for this example. For clarity, the specific exploit preconditions and postconditions are omitted from the figure, but they are described in Table 5-1. Despite the firewall policy designed to protect it, the external attacker obtains execute access with super user privilege on ned. The attack graph shows that the initial exploitation of the IIS vulnerability on maude ultimately leads to the compromise of ned, e.g., the following:
1. The IIS Remote Data Services (RDS) exploit enables the attacker to execute programs on maude;
2. Given the access provided by the IIS RDS exploit, the remote copy (rcp) program on maude is executed to download a rootkit from the attack machine;
3. A port-forwarding program from the rootkit is then executed to set up access from the attack machine through maude to the FTP service on ned;
4. Finally, the wu_ftpd exploit is executed through the forwarded connection against ned to obtain root access there.

[Figure 5-6. Attack Graph for Example Application of TVA]

Finding such attack paths is a unique TVA capability. No commercial tool connected outside the firewall is currently capable of reporting more

than an IIS vulnerability on maude. Connected inside the firewall, a commercial tool would also report the vulnerable wu_ftpd service, but human analysis would still be required to build an attack path from the outside through maude to ned. This would be an easy enough exercise for an experienced penetration tester working on such a small network. But it would be infeasible for networks in which voluminous outputs must be analyzed manually for large numbers of machines.

Table 5-1. Exploits for Example Application of TVA

IISRDS
  Description: One of many exploits associated with Microsoft's Internet Information Server (IIS).
  Preconditions: (1) Execute access on attack machine; (2) Attack machine has connectivity to IIS service on victim.
  Postcondition: Ability to execute programs on victim at super user privilege.

RCPDOWNLOAD
  Description: Binds rsh access to the ability to transfer programs (e.g., rootkits) from victim machine using the rcp program.
  Preconditions: (1) Execute access on attack machine; (2) rcp program on attack machine; (3) Attack machine has connectivity to victim's rsh service.
  Postcondition: Copies victim machine's programs to attack machine.

WUFTPDX
  Description: Yields super user on many Unix platforms that run the Washington University FTP daemon, wu-ftpd.
  Preconditions: (1) Execute access on attack machine; (2) wu-ftpd exploit program exists on attack machine; (3) Attack machine has connectivity to FTP service on victim.
  Postcondition: Super user execute access on victim.

PORTFORWARD
  Description: Enables attacker to work around firewall when foothold obtained on an internal machine. One of few exploits that implements a middleman machine to direct exploits against victim machine.
  Preconditions: (1) Middleman and victim are different machines (implicit, not in attack graph); (2) Execute access on middleman; (3) Port-forwarding program on middleman; (4) Attacker connectivity to transport-layer (unused) port on middleman.
  Postcondition: Attacker acquires middleman's transport-layer connectivity to victim.

From a TVA attack graph, we can immediately compute an expression for the attack-goal conditions in terms of the initial conditions. This process involves traversing the attack graph in a backwards direction, algebraically substituting exploits with those exploits that satisfy their preconditions. This computation is done recursively, with the recursion ending when an exploit's precondition is an initial condition.
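The analysis described in Section 4.2 and applied in this section (forward closure over exploit rules from the initial conditions, backward pruning toward the goal, recursive substitution down to initial conditions, and the minimal hardening assignments of Section 2) carried through in code on a constructed model of this section's example network. This is an added example, not the TVA tool's code. The condition and exploit names (exec_attack, conn_maude_ned_ftp, WUFTPDX_from_maude, and so on), the split of the wu_ftpd attack into a route run from maude and a route run through the forwarded port, and the choice of which conditions are attacker-controlled are assumptions made for illustration; they are not the $c_i$ of Figure 5-7. The goal expression is kept as the set of minimal sets of initial conditions (one set per attack path, which is the disjunctive normal form of $g$), and hardening options are the minimal hitting sets of those paths over the conditions the administrator controls. The code is general: it accepts any model given as exploit rules over named conditions.

```python
from collections import namedtuple
from itertools import combinations, product

# Exploit rule: when every precondition holds, every postcondition becomes true.
Exploit = namedtuple("Exploit", "name pre post")


def forward_reachable(exploits, initial):
    """Monotone forward closure; returns (true conditions, executed exploits in firing order)."""
    true_conds, executed, pending = set(initial), [], list(exploits)
    while True:
        fired = [ex for ex in pending if ex.pre <= true_conds]  # all preconditions hold
        if not fired:
            return true_conds, executed
        for ex in fired:
            pending.remove(ex)
            executed.append(ex)
            true_conds |= ex.post          # monotonicity: a true condition never reverts


def backward_relevant(executed, goal):
    """Names of executed exploits from which the goal condition is backward-reachable."""
    relevant, frontier, seen = set(), {goal}, set()
    while frontier:
        cond = frontier.pop()
        if cond in seen:
            continue
        seen.add(cond)
        for ex in executed:
            if cond in ex.post:
                relevant.add(ex.name)
                frontier |= ex.pre
    return relevant


def minimal_paths(cond, by_post, initial, visiting=frozenset()):
    """Minimal sets of initial conditions sufficient for `cond`, by recursive substitution:
    an initial condition stands for itself; a derived condition is the disjunction over the
    exploits yielding it, each exploit being the conjunction of its preconditions."""
    if cond in initial:
        return {frozenset([cond])}
    if cond in visiting:                   # a condition cannot help derive itself
        return set()
    paths = set()
    for ex in by_post.get(cond, ()):
        sub = [minimal_paths(p, by_post, initial, visiting | {cond}) for p in ex.pre]
        if all(sub):                       # every precondition is achievable
            paths.update(frozenset().union(*combo) for combo in product(*sub))
    return {p for p in paths if not any(q < p for q in paths)}   # drop non-minimal paths


def minimal_hardening(paths, hardenable):
    """Minimal sets of hardenable conditions to set false so that every path is cut (minimal
    hitting sets); None if some path needs only conditions the administrator cannot control."""
    targets = [p & hardenable for p in paths]
    if any(not t for t in targets):
        return None
    universe = sorted(frozenset().union(*targets))
    found = []
    for k in range(1, len(universe) + 1):  # by increasing size, so a superset is never kept
        for cand in combinations(universe, k):
            cs = frozenset(cand)
            if all(cs & t for t in targets) and not any(f < cs for f in found):
                found.append(cs)
    return found


# Constructed model of the chapter's example network; these names are this example's, not TVA's.
INITIAL = {
    "exec_attack", "rootkit_attack",          # attacker side: access and programs on the attack machine
    "conn_attack_maude_http", "vuln_iis_rds_maude",   # firewall permits web to maude; IIS RDS vulnerable
    "rcp_maude", "conn_maude_attack_rsh",     # rcp present on maude; outgoing rsh from maude permitted
    "conn_maude_ned_ftp", "vuln_wuftpd_ned",  # maude reaches ned's FTP service; wu_ftpd on ned vulnerable
    "unused_port_maude",                      # attacker reaches an unused transport port on maude
}
ATTACKER_CONTROLLED = {"exec_attack", "rootkit_attack"}   # not available as hardening measures
GOAL = "root_ned"
EXPLOITS = [
    Exploit("IISRDS", {"exec_attack", "conn_attack_maude_http", "vuln_iis_rds_maude"}, {"exec_maude"}),
    Exploit("RCPDOWNLOAD", {"exec_maude", "rcp_maude", "conn_maude_attack_rsh", "rootkit_attack"}, {"rootkit_maude"}),
    Exploit("PORTFORWARD", {"exec_maude", "rootkit_maude", "unused_port_maude"}, {"conn_attack_ned_ftp"}),
    Exploit("WUFTPDX_from_maude", {"exec_maude", "rootkit_maude", "conn_maude_ned_ftp", "vuln_wuftpd_ned"}, {GOAL}),
    Exploit("WUFTPDX_forwarded", {"exec_attack", "rootkit_attack", "conn_attack_ned_ftp", "vuln_wuftpd_ned"}, {GOAL}),
]


def analyze(exploits=EXPLOITS, initial=INITIAL, goal=GOAL, attacker=ATTACKER_CONTROLLED):
    """Full pipeline: forward closure, backward pruning, path expression, hardening options."""
    true_conds, executed = forward_reachable(exploits, initial)
    if goal not in true_conds:
        return {"reachable": False, "relevant": set(), "paths": set(), "hardening": []}
    relevant = backward_relevant(executed, goal)
    by_post = {}
    for ex in (e for e in executed if e.name in relevant):
        for c in ex.post:
            by_post.setdefault(c, []).append(ex)
    paths = minimal_paths(goal, by_post, initial)
    return {"reachable": True, "relevant": relevant, "paths": paths,
            "hardening": minimal_hardening(paths, frozenset(initial) - attacker)}
```

On the constructed model, analyze() returns two minimal paths (one through maude's own connectivity to ned's FTP service, one through the forwarded port) and six minimal hardening options: the five single conditions common to both paths, and the pair of conn_maude_ned_ftp and unused_port_maude, the analogue of option 4 below, where both measures must be taken together. Re-running with a condition removed from INITIAL shows whether the goal remains reachable, which is the what-if analysis the chapter describes.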

As we explained in Section 2, the only conditions relevant to network hardening are the initial conditions. An expression $g(c_1, c_2, \ldots, c_k)$ for the attack goal in terms of initial conditions $C = \{c_1, c_2, \ldots, c_k\}$ then provides a way to determine if a particular network configuration is guaranteed safe with respect to the attack goal. From the particular form of $g$, we can determine the safe assignments of $C$.

Figure 5-7 again shows the TVA attack graph for this example, this time with the initial conditions included. For convenience, the figure includes algebraic symbols that correspond to our analysis of network hardening. In particular, exploits are denoted by Greek letters, and initial conditions are denoted by $c_i$. By examining Figure 5-7, we can traverse the attack graph backwards, starting from the goal condition $g$, and recursively perform algebraic substitution according to precondition/postcondition dependencies (each exploit is replaced by the conjunction of its preconditions, and a condition yielded by more than one exploit by the disjunction of those exploits) until only initial conditions remain:

$$
\begin{aligned}
g &= \delta + \phi \\
  &= (\alpha + \beta)\,\chi\, c_6 + \varepsilon\, c_8 c_9 \\
  &\;\;\vdots \\
  &= c_1 c_2 c_4 c_5\,(c_6 + c_7 c_8 c_9) \qquad (1)
\end{aligned}
$$

[Figure 5-7. Attack Graph with Exploit Preconditions Included: exploits $\alpha, \beta, \chi, \delta, \varepsilon, \phi$; initial conditions $c_1$ through $c_9$; goal condition $g$.]

In terms of the problem domain, some initial conditions are outside the network administrator's control. In particular, the administrator has no control over conditions like programs and user access/privilege on the attacker's machine. Thus we have $c_2 = c_8 = c_9 = 1$, so that Eq. (1) becomes

$$
g = c_1 c_4 c_5\,(c_6 + c_7) \qquad (2)
$$

From Eq. (2), four assignments of initial conditions are apparent that provide network safety (that is, force $g = 0$). While other safe assignments are also possible, these four minimize the cost of hardening the example network:

1. Patch or disable the IIS RDS web server on maude ($c_1 = 0$);
2. Disable outgoing rsh from maude ($c_4 = 0$);
3. Remove the rcp program from maude ($c_5 = 0$);
4. Patch or disable wu_ftpd from maude to ned, and block all unused ports on maude ($c_6 = c_7 = 0$, i.e., $c_6 + c_7 = 0$).

When considered separately, each of these four options has a minimal hardening cost, in the sense that no measure within an option can be dropped without the attack goal becoming reachable again. The network administrator can then choose the option that has overall minimum cost, based on the relative costs of the individual hardening measures.

6. TECHNICAL CHALLENGES

The TVA modeling framework supports the full range of network and exploit information needed for realistic scenarios. But to make TVA feasible for large networks, automatic model generation methods are needed. As described in Section 4.1, we currently create TVA network descriptions via the Nessus vulnerability scanner. But Nessus lacks the ability to provide certain types of information. For example, with Nessus we must assume that firewalls enforce generic policies for the individual network segments. Although this may be an acceptable approximation of firewall effects, real policies often include host-specific rules. While host-specific rules could be handled by individual Nessus scans from each machine in the network, this procedure is not very efficient.
A more efficient solution would be to build TVA models directly from firewall filter tables. Also, while transport- and application-layer information is available from Nessus, additional topology information is needed to delineate between the link and network TCP/IP layers. Although Nessus can guess a remote machine's operating system, it is not always correct and often cannot determine a specific version. Many exploits depend on detailed information about the operating system. Vulnerabilities are often removed by applying a patch to the applicable operating system or application. Patch-level information is therefore required for accurate exploit modeling.

Nessus scans for vulnerabilities from a remote location, so it can only detect network service information. However, many vulnerabilities are local and are neither exploitable nor detectable over a network. Processes are required to gather program-specific information from individual hosts, e.g., from host configuration files. For example, some trust relationship and group membership information is difficult to obtain remotely. This information is valuable for TVA, to determine whether an exploit is really possible or whether it affects machines other than the immediate target.

As one can imagine, TVA attack graphs might become huge for large, poorly secured networks. Analytical and visual methods are necessary for handling such (quadratic) attack-graph complexity, such as aggregating parts of the graph as summary information or culling parts of the graph not of immediate interest. We have developed a prototype drill-down visualization tool that shows great promise in solving the attack-graph management problem.

A current bottleneck for TVA implementation is the process of modeling exploits manually. The problem is that much of the domain knowledge is available only as natural-language text. What is needed are exploit specifications written in a standard, machine-understandable language. It appears that this requirement can be met by the emerging Semantic Web [12] under development by the World Wide Web Consortium. The vision is that web content of the future will be defined and linked in a way that it can be used for automation, integration, and reuse across various applications, not just for display purposes as with Hypertext Markup Language (HTML).
With the Semantic Web, standardized rule-based markup provides the actual semantics (meaning) for web content.

TVA has potential application beyond penetration testing and network hardening. For example, it can be applied to the tuning of intrusion detection systems. In practice, network administrators must often balance the risk of attack against the need to offer services. Even with network hardening guided by TVA, administrators may still decide to tolerate some residual network vulnerability from services they absolutely need. The intrusion detection system could be configured to consider only this residual vulnerability and thus generate alarms only in the context of genuine threats to critical network resources. At a minimum, vulnerabilities that do not significantly contribute to overall risk can be ignored, reducing the effective false-positive rate. It may also be possible to infer new intrusion signatures from TVA results, in turn increasing the number of true-positive detections.

But there is a limit to what can be accomplished with network hardening and intrusion detection. The need to offer services is at odds with network hardening, and effective intrusion detection will remain challenging, particularly in the face of novel attacks. To augment methods of avoidance and detection, TVA can be applied to attack response, both defensive and offensive. For defensive response, the network is dynamically hardened in the face of attacks. A less conservative approach is to launch an offensive counterattack in response to an attack against one's own network. While this approach may be extreme, it could be the only available option for allowing a network to function after being attacked.

7. SUMMARY AND CONCLUSIONS

This chapter describes a tool for Topological Vulnerability Analysis (TVA), a powerful approach to global network vulnerability analysis. The tool analyzes dependencies among modeled attacker exploits, in terms of attack paths (sequences of exploits) to specific network targets. While the current generation of commercial vulnerability scanners generates voluminous information on vulnerabilities considered in isolation, they give few clues as to how attackers might combine them to advance an attack. The tool automates the type of labor-intensive analysis usually performed by penetration-testing experts, providing a thorough understanding of the vulnerabilities of critical network resources. It encourages inexpensive what-if analyses of the impact of candidate network configurations on overall network security. Also, the tool employs a comprehensive database of known vulnerabilities and attack techniques. This database includes a comprehensive rule base of exploits, with vulnerabilities and other network security conditions serving as exploit preconditions and postconditions.
During TVA network discovery, network vulnerability information is gathered and correlated with exploit rules via the open-source Nessus vulnerability scanner. Our custom TVA analysis engine then models network attack behavior based on the exploit rules, building a graph of precondition/postcondition dependencies. This graph provides attack paths leading from the initial network state to a specified goal state. From the attack graph, we can determine safe network configurations with respect to the goal, including those that maximize available network services.

Our TVA tool provides powerful new capabilities for network vulnerability analysis. It enables network administrators to choose network configurations that are provably secure and minimize the cost of network hardening. TVA also has potential application to other key areas of network security, such as identifying possible attack responses and tuning intrusion detection systems.

ACKNOWLEDGEMENTS

We gratefully acknowledge the software development efforts of Michael Jacobs in support of this chapter.

NOTES

1. In the context of network security, our assumption of monotonicity is quite reasonable. It simply means that once an attacker gains control of a resource, he need never relinquish it in order to further advance the attack. In other words, no backtracking is necessary.
2. An example of machine group effects is that guessing a Windows NT domain user password would probably allow login to all machines in the domain.
3. The rcp program is installed by default with Windows NT.
4. A rootkit is a hacker term that refers to tools an attacker often transfers to a compromised machine for the purpose of expanding access or escalating privileges.

REFERENCES

1. R. Deraison, Nessus, retrieved May 2003.
2. World Wide Web Consortium, Extensible Markup Language (XML), retrieved May 2003.
3. World Wide Web Consortium, The Extensible Stylesheet Language (XSL), retrieved May 2003.
4. World Wide Web Consortium, XSL Transformations (XSLT) Version 1.0, retrieved May 2003.
5. L. Swiler, C. Phillips, D. Ellis, and S. Chakerian, Computer-Attack Graph Generation Tool, in Proceedings of the DARPA Information Survivability Conference & Exposition II, Anaheim, California, June 2001.
6. S. Templeton and K. Levitt, A Requires/Provides Model for Computer Attacks, in Proceedings of the New Security Paradigms Workshop, Cork, Ireland, September 2000.
7. J. Dawkins, C. Campbell, and J. Hale, Modeling Network Attacks: Extending the Attack Tree Paradigm, in Proceedings of the Workshop on Statistical and Machine Learning Techniques in Computer Intrusion Detection, Johns Hopkins University, June 2002.
8. R. Ritchey and P. Ammann, Using Model Checking to Analyze Network Vulnerabilities, in Proceedings of the IEEE Symposium on Security and Privacy, Oakland, California, May 2000.
9. O. Sheyner, J. Haines, S. Jha, R. Lippmann, and J. Wing, Automated Generation and Analysis of Attack Graphs, in Proceedings of the IEEE Symposium on Security and Privacy, Oakland, California, May 2002.
10. P. Ammann, D. Wijesekera, and S. Kaushik, Scalable, Graph-Based Network Vulnerability Analysis, in Proceedings of CCS 2002: 9th ACM Conference on Computer and Communications Security, Washington, DC, November 2002.
11. R. Ritchey, B. O'Berry, and S. Noel, Representing TCP/IP Connectivity for Topological Analysis of Network Security, in Proceedings of the 18th Annual Computer Security Applications Conference, Las Vegas, Nevada, December 2002.
12. World Wide Web Consortium, Semantic Web, retrieved May 2003.


More information

S E C U R I T Y A S S E S S M E N T : B o m g a r B o x T M. Bomgar. Product Penetration Test. September 2010

S E C U R I T Y A S S E S S M E N T : B o m g a r B o x T M. Bomgar. Product Penetration Test. September 2010 S E C U R I T Y A S S E S S M E N T : B o m g a r B o x T M Bomgar Product Penetration Test September 2010 Table of Contents Introduction... 1 Executive Summary... 1 Bomgar Application Environment Overview...

More information

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4) Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus February 3, 2015 (Revision 4) Table of Contents Overview... 3 Malware, Botnet Detection, and Anti-Virus Auditing... 3 Malware

More information

Intel Security Certified Product Specialist Security Information Event Management (SIEM)

Intel Security Certified Product Specialist Security Information Event Management (SIEM) Intel Security Certified Product Specialist Security Information Event Management (SIEM) Why Get Intel Security Certified? As technology and security threats continue to evolve, organizations are looking

More information

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology Port Scanning and Vulnerability Assessment ECE4893 Internetwork Security Georgia Institute of Technology Agenda Reconnaissance Scanning Network Mapping OS detection Vulnerability assessment Reconnaissance

More information

VMWARE Introduction ESX Server Architecture and the design of Virtual Machines

VMWARE Introduction ESX Server Architecture and the design of Virtual Machines Introduction........................................................................................ 2 ESX Server Architecture and the design of Virtual Machines........................................

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

Nessus Agents. October 2015

Nessus Agents. October 2015 Nessus Agents October 2015 Table of Contents Introduction... 3 What Are Nessus Agents?... 3 Scanning... 4 Results... 6 Conclusion... 6 About Tenable Network Security... 6 2 Introduction Today s changing

More information

Using Nessus to Detect Wireless Access Points. March 6, 2015 (Revision 4)

Using Nessus to Detect Wireless Access Points. March 6, 2015 (Revision 4) Using Nessus to Detect Wireless Access Points March 6, 2015 (Revision 4) Table of Contents Introduction... 3 Why Detect Wireless Access Points?... 3 Wireless Scanning for WAPs... 4 Detecting WAPs using

More information

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder. CMSC 355 Lab 3 : Penetration Testing Tools Due: September 31, 2010 In the previous lab, we used some basic system administration tools to figure out which programs where running on a system and which files

More information

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc.

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc. Considerations In Developing Firewall Selection Criteria Adeptech Systems, Inc. Table of Contents Introduction... 1 Firewall s Function...1 Firewall Selection Considerations... 1 Firewall Types... 2 Packet

More information

The Trivial Cisco IP Phones Compromise

The Trivial Cisco IP Phones Compromise Security analysis of the implications of deploying Cisco Systems SIP-based IP Phones model 7960 Ofir Arkin Founder The Sys-Security Group ofir@sys-security.com http://www.sys-security.com September 2002

More information

What IT Auditors Need to Know About Secure Shell. SSH Communications Security

What IT Auditors Need to Know About Secure Shell. SSH Communications Security What IT Auditors Need to Know About Secure Shell SSH Communications Security Agenda Secure Shell Basics Security Risks Compliance Requirements Methods, Tools, Resources What is Secure Shell? A cryptographic

More information

Cisco IPS Tuning Overview

Cisco IPS Tuning Overview Cisco IPS Tuning Overview Overview Increasingly sophisticated attacks on business networks can impede business productivity, obstruct access to applications and resources, and significantly disrupt communications.

More information

TECHNICAL NOTE 10/03 DEPLOYMENT GUIDANCE FOR INTRUSION DETECTION SYSTEMS

TECHNICAL NOTE 10/03 DEPLOYMENT GUIDANCE FOR INTRUSION DETECTION SYSTEMS TECHNICAL NOTE 10/03 DEPLOYMENT GUIDANCE FOR INTRUSION DETECTION SYSTEMS 19 NOVEMBER 2003 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor

More information

How To Set Up Safetica Insight 9 (Safetica) For A Safetrica Management Service (Sms) For An Ipad Or Ipad (Smb) (Sbc) (For A Safetaica) (

How To Set Up Safetica Insight 9 (Safetica) For A Safetrica Management Service (Sms) For An Ipad Or Ipad (Smb) (Sbc) (For A Safetaica) ( SAFETICA INSIGHT INSTALLATION MANUAL SAFETICA INSIGHT INSTALLATION MANUAL for Safetica Insight version 6.1.2 Author: Safetica Technologies s.r.o. Safetica Insight was developed by Safetica Technologies

More information

Exploiting Transparent User Identification Systems

Exploiting Transparent User Identification Systems Exploiting Transparent User Identification Systems Wayne Murphy Benjamin Burns Version 1.0a 1 CONTENTS 1.0 Introduction... 3 1.1 Project Objectives... 3 2.0 Brief Summary of Findings... 4 3.0 Background

More information

Lab 5.5.3 Developing ACLs to Implement Firewall Rule Sets

Lab 5.5.3 Developing ACLs to Implement Firewall Rule Sets Lab 5.5.3 Developing ACLs to Implement Firewall Rule Sets All contents are Copyright 1992 2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 8 Device Interface

More information

Ethical Hacking Agreement for External Network Security Unannounced Penetration Test

Ethical Hacking Agreement for External Network Security Unannounced Penetration Test Ethical Hacking Agreement for External Network Security Unannounced Penetration Test Agreement made on the (date), between (Name of Consultant) of (street address, city, state, zip code), referred to herein

More information

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Host Hardening Presented by Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Background National Institute of Standards and Technology Draft Guide to General Server Security SP800-123 Server A

More information

Secure Networks for Process Control

Secure Networks for Process Control Secure Networks for Process Control Leveraging a Simple Yet Effective Policy Framework to Secure the Modern Process Control Network An Enterasys Networks White Paper There is nothing more important than

More information

Architecture Overview

Architecture Overview Architecture Overview Design Fundamentals The networks discussed in this paper have some common design fundamentals, including segmentation into modules, which enables network traffic to be isolated and

More information

Black Box Penetration Testing For GPEN.KM V1.0 Month dd "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!

Black Box Penetration Testing For GPEN.KM V1.0 Month dd #$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;! Sample Penetration Testing Report Black Box Penetration Testing For GPEN.KM V1.0 Month dd "#$%&'#)*)&'+,-./0.-121.030045.5675895.467:;83-/;0383; th, yyyy A&0#0+4*M:+:#&*#0%+C:,#0+4N:

More information

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND Introduction > New security threats are emerging all the time, from new forms of malware and web application exploits that target

More information

Smokey: A User-Based Distributed Firewall System

Smokey: A User-Based Distributed Firewall System Smokey: A User-Based Distributed Firewall System Rachel Rubin Department of Computer Science University of California, Berkeley Berkeley, CA 94704 rrubin@cs.berkeley.edu Abstract Traditional intranets

More information

For more information email sales@patchadvisor.com or call 703.749.7723

For more information email sales@patchadvisor.com or call 703.749.7723 Vulnerability Assessment Methodology Today s networks are typically comprised of a variety of components from many vendors. This adds to the difficulties faced by the system administration staff, as they

More information

How To Prevent Hacker Attacks With Network Behavior Analysis

How To Prevent Hacker Attacks With Network Behavior Analysis E-Guide Signature vs. anomaly-based behavior analysis News of successful network attacks has become so commonplace that they are almost no longer news. Hackers have broken into commercial sites to steal

More information

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013 CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control

More information

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security

More information

Penetration Testing. Presented by

Penetration Testing. Presented by Penetration Testing Presented by Roadmap Introduction to Pen Testing Types of Pen Testing Approach and Methodology Side Effects Demonstration Questions Introduction and Fundamentals Penetration Testing

More information

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com SAINT Integrated Network Vulnerability Scanning and Penetration Testing www.saintcorporation.com Introduction While network vulnerability scanning is an important tool in proactive network security, penetration

More information

WHITE PAPER. An Introduction to Network- Vulnerability Testing

WHITE PAPER. An Introduction to Network- Vulnerability Testing An Introduction to Network- Vulnerability Testing C ONTENTS + Introduction 3 + Penetration-Testing Overview 3 Step 1: Defining the Scope 4 Step 2: Performing the Penetration Test 5 Step 3: Reporting and

More information

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows) Security principles Firewalls and NAT These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/) Host vs Network

More information

Sygate Secure Enterprise and Alcatel

Sygate Secure Enterprise and Alcatel Sygate Secure Enterprise and Alcatel Sygate Secure Enterprise eliminates the damage or loss of information, cost of recovery, and regulatory violation due to rogue corporate computers, applications, and

More information

IS TEST 3 - TIPS FOUR (4) levels of detective controls offered by intrusion detection system (IDS) methodologies. First layer is typically responsible for monitoring the network and network devices. NIDS

More information